Date: May 26th, 2023
Enumeration
NMAP
Two ports open:
22 - Standard SSH
80 - Apache 2.4.41 Webserver
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2842ac1225a10f16616dda0f6046295 (RSA)
| 256 429e2ff63e5adb51996271c48c223ebb (ECDSA)
| 256 2ea0a56cd983e0016cb98a609b638672 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZhkboYdSkdR3n1G4sQtN4uO3hy89JxYkizKi6Sd/Ky
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 Apache Webserver
Directory Enumeration
I ran this first directory scan with only one extension (.html).
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.120.101
🚀 Threads │ 50
📖 Wordlist │ /opt/raft-small-words.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💾 Output File │ dir-enum/initial.ferox
💲 Extensions │ [html]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 52l 106w 945c http://10.10.120.101/styles.css
200 GET 38l 129w 1163c http://10.10.120.101/index.html
200 GET 140l 394w 3940c http://10.10.120.101/gallery/gallery.html
200 GET 32l 61w 924c http://10.10.120.101/pricing/pricing.html
200 GET 38l 129w 1163c http://10.10.120.101/
200 GET 3l 10w 57c http://10.10.120.101/pricing/note.txt
301 GET 9l 28w 316c http://10.10.120.101/gallery => http://10.10.120.101/gallery/
301 GET 9l 28w 315c http://10.10.120.101/static => http://10.10.120.101/static/
301 GET 9l 28w 316c http://10.10.120.101/pricing => http://10.10.120.101/pricing/
[####################] - 4m 43024/43024 0s found:9 errors:0
[####################] - 4m 43010/43010 176/s http://10.10.120.101/
[####################] - 0s 43010/43010 273949/s http://10.10.120.101/gallery/ => Directory listing
[####################] - 0s 43010/43010 127626/s http://10.10.120.101/pricing/ => Directory listing
[####################] - 0s 43010/43010 358417/s http://10.10.120.101/static/ => Directory listing
/pricing/note.txt
Interesting note: we have initials for a potential user (RP), and now we know there are notes spread randomly on the website. I almost included .txt in the first ferox scan but wanted to keep my scan time down (slow internet) lol. Let's go ahead and run another one.
Directory enumeration #2
I used the same wordlist for the second scan (raft small words) and included the extensions txt, md and php. I didn't find any new pages or text files. It's always a good idea to try a different wordlist (directory 2.3 medium is a solid one), but for now I'm just going to move on.
Navigating to /gallery/gallery.html presents 18 photos.
Since I saw copyright 2001 (lmao) it just made me think of steganography. I downloaded all the images with a quick n dirty bash script.
Binwalk found a gzip file inside of image 16. I extracted it but keep getting errors when trying to open it, so it's either a red herring or a false positive.
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
2386269 0x24695D gzip compressed data, ASCII, has header CRC, has 1861 bytes of extra data, last modified: 2045-09-27 08:36:45 (bogus date)
At this point I tried everything I could think of to enumerate this webserver and couldn't find anything :( I decided to run an all ports (-p-) nmap scan. (Should have done this initially.) There is an instance of vsftpd 3.0.3 running on port 37370; default creds and anonymous login didn't work.
More directory enumeration
I decided to scan the /static directory. Although ferox says it's a listable directory, when you navigate to /static with no numbers after it you get this:
/static
If it's listable, there should be listings, right? lol
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.120.101/static/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/raft-small-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/05/26 23:59:55 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 278]
/.htm (Status: 403) [Size: 278]
/1 (Status: 200) [Size: 2473315]
/3 (Status: 200) [Size: 421858]
/. (Status: 200) [Size: 567]
/2 (Status: 200) [Size: 3627113]
/5 (Status: 200) [Size: 1426557]
/9 (Status: 200) [Size: 1190575]
/.htaccess (Status: 403) [Size: 278]
[ERROR] 2023/05/27 00:00:15 [!] context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] 2023/05/27 00:00:16 [!] context deadline exceeded (Client.Timeout or context cancellation while reading body)
Progress: 602 / 43010 (1.40%)[ERROR] 2023/05/27 00:00:16 [!] context deadline exceeded (Client.Timeout or context cancellation while reading body)
/11 (Status: 200) [Size: 627909]
/10 (Status: 200) [Size: 2275927]
/6 (Status: 200) [Size: 2115495]
/12 (Status: 200) [Size: 2203486]
/15 (Status: 200) [Size: 3477315]
/16 (Status: 200) [Size: 2468462]
/13 (Status: 200) [Size: 3673497]
/14 (Status: 200) [Size: 3838999]
/18 (Status: 200) [Size: 2036137]
/17 (Status: 200) [Size: 3551807]
/.htc (Status: 403) [Size: 278]
/00 (Status: 200) [Size: 127]
/.html_var_DE (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/static/00
dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts
Now we're over target! :D
/dev1243224123123
We are presented with a simple login page.
The page source has links to some .js files, so I decided it would probably be a good idea to fuzz for js files :P
200 GET 16l 85w 696c http://10.10.120.101/dev1243224123123/button.js
200 GET 107l 244w 2014c http://10.10.120.101/dev1243224123123/style.css
200 GET 63l 123w 1423c http://10.10.120.101/dev1243224123123/dev.js
200 GET 34l 66w 967c http://10.10.120.101/dev1243224123123/
200 GET 76l 236w 2140c http://10.10.120.101/dev1243224123123/old.js
200 GET 34l 66w 967c http://10.10.120.101/dev1243224123123/index.html
There are a few of them! The two from the page source and two more: dev.js and old.js
dev.js
const loginForm = document.getElementById("login-form");
const loginButton = document.getElementById("login-form-submit");
const loginErrorMsg = document.getElementById("login-error-msg");

loginForm.style.border = '2px solid #ccc';
loginForm.style.padding = '20px';
loginButton.style.backgroundColor = '#007bff';
loginButton.style.border = 'none';
loginButton.style.borderRadius = '5px';
loginButton.style.color = '#fff';
loginButton.style.cursor = 'pointer';
loginButton.style.padding = '10px';
loginButton.style.marginTop = '10px';

function isValidUsername(username) {
    if(username.length < 5) {
        console.log("Username is valid");
    }
    else {
        console.log("Invalid Username");
    }
}

function isValidPassword(password) {
    if(password.length < 7) {
        console.log("Password is valid");
    }
    else {
        console.log("Invalid Password");
    }
}

function showErrorMessage(element, message) {
    const error = element.parentElement.querySelector('.error');
    error.textContent = message;
    error.style.display = 'block';
}

loginButton.addEventListener("click", (e) => {
    e.preventDefault();
    const username = loginForm.username.value;
    const password = loginForm.password.value;
    if (username === "siemDev" && password === "california") {
        window.location.href = "/dev1243224123123/devNotes37370.txt";
    } else {
        loginErrorMsg.style.opacity = 1;
    }
})
There's some interesting info here! Notably "if (username === "siemDev" && password === "california")".
We get some interesting info when we use the creds to log in to the webpage.
FTP access
I tried to use the creds for SSH but they didn't work. I remembered there was an FTP server that I didn't have creds for, so I decided to give it a try.
There are three pcap files; I downloaded them and started analyzing them.
Wireshark
The first two pcap files, siemFTP and HTTP1, didn't have any relevant info (at least none that I could find), but siemHTTP2.pcapng had some goodies :D
There are credentials in the file! :D
Initial access
So it turns out the credentials from the pcap file work for SSH! :D
Grabbed user.txt and uploaded linPEAS to /dev/shm
valleyDev --> valley escalation
There's a binary that's just chillin out in /home. I downloaded it to my machine and started analyzing it.
valleyAuthenticator binary
When you run the binary it prompts for a username and password. I tried all combinations from currently known creds but nothing worked.
I decided to run 'binwalk -W' on the binary. There was something interesting at the very bottom: "UPX!" So I decided to google it. (It's also at the end of the file if you just run strings against it.)
It's an executable packer, so we should be able to decompress it and hopefully get some information from it. Luckily Kali comes with upx already installed.
Ok, it did something, it says it's now unpacked. Let's look at it again now that it's (hopefully) unpacked.
There's a ton of stuff to look through, but knowing that the binary prints 'Welcome to Valley in. Authenticator' when you run it, I just used CTRL+S to search for the word 'Welcome', and there are two interesting things above the word 'Welcome'. They look like MD5's:
e6722920bab2326f8217e4bf6b1b58ac
dd2921cc76ee3abfd2beb60709056cfb
It looks like they are MD5!
hash-identifier 'dd2921cc76ee3abfd2beb60709056cfb'
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Crackstation cracked them! :DDD Now we can move from valleyDev to valley!
ssh valley@10.10.120.101
valley@10.10.120.101's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-139-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
valley@valley:~$ ls -lah
total 84K
drwxr-x--- 16 valley valley 4.0K Mar 20 20:54 .
drwxr-xr-x 5 root root 4.0K Mar 6 13:19 ..
-rw------- 1 valley valley 0 Mar 21 07:30 .bash_history
-rw-r--r-- 1 valley valley 220 Aug 15 2022 .bash_logout
-rw-r--r-- 1 valley valley 3.7K Aug 15 2022 .bashrc
drwx------ 12 valley valley 4.0K Mar 20 20:02 .cache
drwx------ 14 valley valley 4.0K Mar 6 13:45 .config
drwxr-xr-x 2 valley valley 4.0K Mar 3 10:01 Desktop
drwxr-xr-x 2 valley valley 4.0K Aug 11 2022 Documents
drwxr-xr-x 2 valley valley 4.0K Mar 6 13:39 Downloads
drwxrwxrwx 2 valley valley 4.0K Mar 20 15:06 exp_dir
drwx------ 3 valley valley 4.0K Mar 3 10:28 .gnupg
drwxr-xr-x 3 valley valley 4.0K Aug 15 2022 .local
drwxr-xr-x 2 valley valley 4.0K Aug 11 2022 Music
drwxr-xr-x 2 valley valley 4.0K Aug 11 2022 Pictures
-rw-r--r-- 1 valley valley 807 Aug 15 2022 .profile
drwxr-xr-x 2 valley valley 4.0K Aug 11 2022 Public
-rw-rw-r-- 1 valley valley 66 Aug 15 2022 .selected_editor
drwx------ 2 valley valley 4.0K Aug 15 2022 .ssh
drwxr-xr-x 2 valley valley 4.0K Aug 11 2022 Templates
drwxr-xr-x 2 valley valley 4.0K Aug 11 2022 Videos
-rw-rw-r-- 1 valley valley 174 Mar 20 14:42 .wget-hsts
It works! Now we are a higher privileged user!
Escalation to root
Earlier I noticed there was a /photos directory in the root of the machine. It has some interesting files inside of it.
valleyDev@valley:/photos$ ls -lah
total 21M
drwxr-xr-x 4 root root 4.0K Mar 6 15:41 .
drwxr-xr-x 21 root root 4.0K Mar 6 15:40 ..
-rw-rw-r-- 1 valley valley 1.9M Mar 6 13:38 p1.jpg
-rw-rw-r-- 1 valley valley 7.6M Mar 6 13:38 p2.jpg
-rw-rw-r-- 1 valley valley 2.9M Mar 6 13:38 p3.jpg
-rw-rw-r-- 1 valley valley 2.2M Mar 6 13:38 p4.jpg
-rw-rw-r-- 1 valley valley 1.7M Mar 6 13:38 p5.jpg
-rw-rw-r-- 1 valley valley 4.3M Mar 6 13:38 p6.jpg
drwxr-xr-x 2 root root 4.0K Mar 6 15:43 photoVault
drwxr-xr-x 2 root root 4.0K Mar 6 19:46 script
valleyDev@valley:/photos$ cd script
valleyDev@valley:/photos/script$ ls -lah
total 12K
drwxr-xr-x 2 root root 4.0K Mar 6 19:46 .
drwxr-xr-x 4 root root 4.0K Mar 6 15:41 ..
-rwxr-xr-x 1 root root 621 Mar 6 15:43 photosEncrypt.py
There's a single python file inside of the script directory.
It takes the image files inside of the photos directory, opens them and reads their contents, then base64 encodes said contents and saves the encoded contents to the photoVault directory. I don't have write permissions anywhere in /photos, but the script is run by root so this may be a possible vector.
#!/usr/bin/python3
import base64

for i in range(1,7):
    # specify the path to the image file you want to encode
    image_path = "/photos/p" + str(i) + ".jpg"
    # open the image file and read its contents
    with open(image_path, "rb") as image_file:
        image_data = image_file.read()
    # encode the image data in Base64 format
    encoded_image_data = base64.b64encode(image_data)
    # specify the path to the output file
    output_path = "/photos/photoVault/p" + str(i) + ".enc"
    # write the Base64-encoded image data to the output file
    with open(output_path, "wb") as output_file:
        output_file.write(encoded_image_data)
Looking back at linPEAS, we have group write permissions on '/usr/lib/python3.8/base64.py'.
I did a quick google search for "base64.py privilege escalation" and found a link detailing what I think has to be done here.
https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8
So reading this post, it seems that all that has to be done is add commands to the script; they showcase a simple 'whoami'.
I added a reverse shell in the location where the author of the article added the 'whoami' command. Don't forget to add 'import os' to the top of the script :P
Forgot to add: while running pspy earlier we can see that the 'photosEncrypt.py' script runs every minute.
Started a netcat listener on 9001, and after a minute I got a reverse shell as root! :DDD
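As an added example (not the box's photosEncrypt.py or anything from the writeup), here is the check that would have caught this misconfiguration from the defender's side: it statically lists what a Python job imports, resolves each import the way a root cron job would (the script's own directory first, then the standard library), and flags any module file that a non-root user could edit. The demo() sample directory and its b64mod.py stand-in for the group-writable base64.py are constructed for this example.

```python
import ast
import stat
import tempfile
from pathlib import Path

STDLIB_DIR = Path(ast.__file__).parent  # the directory base64.py lives in on the target

def imported_modules(source):
    """Top-level module names a script imports (static scan, nothing is executed)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            names.add(node.module.split(".")[0])
    return names

def find_module_file(name, search_paths):
    """First name.py or name/__init__.py found in sys.path-like order; None for built-ins (nothing editable on disk)."""
    for base in search_paths:
        for cand in (base / f"{name}.py", base / name / "__init__.py"):
            if cand.is_file():
                return cand

def weak_permissions(path):
    """Reasons a local user could edit this file before root imports it."""
    st = path.stat()
    reasons = [label for bit, label in ((stat.S_IWGRP, "group-writable"),
               (stat.S_IWOTH, "world-writable")) if st.st_mode & bit]
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    return reasons

def audit_script(script, search_paths=None):
    """Map each imported module to its permission problems; default order = script dir, then stdlib."""
    search_paths = search_paths or [script.parent, STDLIB_DIR]
    findings = {}
    for name in sorted(imported_modules(script.read_text())):
        target = find_module_file(name, search_paths)
        reasons = weak_permissions(target) if target else []
        if reasons:
            findings[name] = reasons
    return findings

def demo():
    d = Path(tempfile.mkdtemp())  # constructed sample, not the box's files
    (d / "b64mod.py").write_text("# stand-in for the group-writable base64.py\n")
    (d / "b64mod.py").chmod(0o664)
    (d / "job.py").write_text("import b64mod\nimport json\n")
    return audit_script(d / "job.py", [d])
```

Running audit_script(Path("/photos/script/photosEncrypt.py")) on the box itself would resolve base64 to /usr/lib/python3.8/base64.py and report it as group-writable, which is exactly the finding linPEAS surfaced.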
GG